Management of Information Security, 4th Edition
Author : phoebe-click | Published Date : 2025-06-23
Description: Management of Information Security 4th Edition Chapter 9 Risk Management Controlling Risk Objectives Recognize the strategy options used to control risk and be prepared to select from them when given background information Evaluate risk
Transcript: Management of Information Security, 4th Edition

Chapter 9. Risk Management: Controlling Risk

Objectives
- Recognize the strategy options used to control risk and be prepared to select from them when given background information
- Evaluate risk controls and formulate a cost-benefit analysis (CBA) using existing conceptual frameworks
- Explain how to maintain and perpetuate risk controls
- Describe popular approaches used in the industry to manage risk

Risk Control Strategies
Once the InfoSec development team has created the ranked vulnerability worksheet, the team must choose one of five basic control strategies:
- Defense
- Transferal
- Mitigation
- Acceptance
- Termination

Defense
- Defense risk control strategy - attempts to prevent the exploitation of the vulnerability
- Accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards
- Sometimes referred to as avoidance
- Three common methods of risk defense:
  - Application of policy
  - Application of training and education
  - Implementation of technology

Transferal
- Transferal risk control strategy - attempts to shift the risk to other assets, other processes, or other organizations
- May be accomplished by:
  - Rethinking how services are offered
  - Revising deployment models
  - Outsourcing to other organizations
  - Purchasing insurance
  - Implementing service contracts with providers

Mitigation
- Mitigation risk control strategy - attempts to reduce the damage caused by a realized incident or disaster, by means of planning and preparation
- Includes three types of plans:
  - Incident response (IR) plan
  - Disaster recovery (DR) plan
  - Business continuity (BC) plan
- Mitigation depends on the ability to detect and respond to an attack as quickly as possible

[Table 9-1: Summary of mitigation plans]

Acceptance
- Acceptance risk control strategy - the decision to do nothing to protect an information asset from risk and accept the outcome
- Acceptance is recognized as a valid strategy only when the organization has:
  - Determined the level of risk posed to the information asset
  - Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
  - Estimated the potential damage or loss that could result from attacks

Acceptance (continued)
- Acceptance is recognized as a valid strategy only when the organization has (cont'd):
  - Evaluated potential controls using each appropriate type of feasibility
  - Performed a thorough CBA
  - Determined that